PkgRadar

Package evidence

[email protected]

Remote Dependency Spec: dependencies.@neaps/api="https://pkg.pr.new/openwatersio/neaps/@neaps/api@4eed5db"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
19
Versions published
12Established · −30% score
First published
Mar 2025
Publisher
bkeepers

Effective trust discount applied: 30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'
Publisherbkeepers
Artifact bytes465,024
Previous version2.0.0-beta.0
Published2026-06-12T16:19:46.859Z
SHA-256e5585c69230f68a1b5d413077fc54e2434a4b70992a32a3c97084f9d8724da23

Why flagged

What the scanner saw

Remote Dependency Spec: dependencies.@neaps/api="https://pkg.pr.new/openwatersio/neaps/@neaps/api@4eed5db"

5 candidate cluster(s) currently reference this release. 3 remote tarball(s) were followed statically.

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
highRisk
42Score
2.0.0-beta.1Version
Status history (1 event)
  1. newavailable · risk high · score 42 · status changed

Related candidates

Linked campaigns and clusters

Publisher / release actor burstactive

bkeepers

2 members · evidence strength 60
Shared payload hashactive

adae118466ba36a54975b52881a4e39dcd873a95179175a1867b17c59c550d16

2 members · evidence strength 64
Shared payload hashactive

93ef88f7ae8c2f73ea5b4999a9bebef40f29c75c6ebd316aab4921c265c07bd1

2 members · evidence strength 64
Shared remote URLactive

https://pkg.pr.new/openwatersio/neaps/@neaps/api@4eed5db

2 members · evidence strength 59
Shared remote URLactive

https://pkg.pr.new/openwatersio/neaps@4eed5db

2 members · evidence strength 59
Publisher / release actor burstcandidate

bkeepers

2 members · max score 96
Shared remote URLcandidate

https://pkg.pr.new/openwatersio/neaps@4eed5db

2 members · max score 12
Shared remote URLcandidate

https://pkg.pr.new/openwatersio/neaps/@neaps/api@4eed5db

2 members · max score 12
Shared payload hashcandidate

adae118466ba36a54975b52881a4e39dcd873a95179175a1867b17c59c550d16

2 members · max score 12
Shared payload hashcandidate

93ef88f7ae8c2f73ea5b4999a9bebef40f29c75c6ebd316aab4921c265c07bd1

2 members · max score 12

Evidence

Static findings

3 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highRemote Dependency Specpackage.jsondependencies.@neaps/api="https://pkg.pr.new/openwatersio/neaps/@neaps/api@4eed5db"12
highRemote Dependency Specpackage.jsondependencies.@neaps/react="https://pkg.pr.new/openwatersio/neaps/@neaps/react@4eed5db"12
highRemote Dependency Specpackage.jsondependencies.neaps="https://pkg.pr.new/openwatersio/neaps@4eed5db"12

Remote payloads

Followed remote artifacts

SourceURLRiskScoreSummary
dependencies.@neaps/apihttps://pkg.pr.new/openwatersio/neaps/@neaps/api@4eed5dbhigh12large_javascript_payload: 31319948 bytes
dependencies.@neaps/reacthttps://pkg.pr.new/openwatersio/neaps/@neaps/react@4eed5dblow0no remote findings
dependencies.neapshttps://pkg.pr.new/openwatersio/neaps@4eed5dbhigh12remote_dependency_spec: dependencies.@neaps/tide-predictor="https://pkg.pr.new/openwatersio/neaps/@neaps/tide-predictor@4eed5dbde3e130d517224b9ede11f2475eb0ada3"

Manifest

Package metadata

Scripts9
  • buildtsc -b && vite build
  • devvite
  • linteslint .
  • prepacknpm run build
  • previewvite preview
  • testnpm run test:node && npm run test:browser
  • test:browservitest run --config vitest.config.browser.ts
  • test:nodevitest run --config vitest.config.node.ts
  • test:runnpm run test:node && npm run test:browser
Dependencies7
  • @neaps/apihttps://pkg.pr.new/openwatersio/neaps/@neaps/api@4eed5db
  • @neaps/reacthttps://pkg.pr.new/openwatersio/neaps/@neaps/react@4eed5db
  • @signalk/server-api^2.0
  • express^4.0
  • neapshttps://pkg.pr.new/openwatersio/neaps@4eed5db
  • react^19.1.0
  • react-dom^19.1.0